Meridian Cyber is a new Huntsville-based consulting firm founded to deliver Risk Management Framework authorization services to the Defense Industrial Base. The practice is built on the founder’s direct, hands-on RMF experience — and on a simple commitment: senior-level attention on every engagement, no exceptions.
The authorization process rewards precision, discipline, and institutional memory. Most small and mid-sized defense contractors don’t have the bandwidth to build those muscles in-house. That’s where we operate.
These represent program environments the founder has worked in during prior employment — not engagements delivered by Meridian Cyber LLC. The firm is newly established and actively pursuing its first client contracts.
Six service lines aligned to the Risk Management Framework. Each engagement has defined scope, deliverables, and success criteria — never open-ended hours. Services are sold individually or bundled.
Comprehensive gap analysis of current security posture against applicable NIST 800-53 controls. Defensible roadmap and realistic timelines to authorization.
End-to-end Risk Management Framework execution. Categorization, control selection, SSP authoring, evidence collection, eMASS submission, AO engagement.
Accelerated package development for Interim Authority to Test. Systems onto connected test environments quickly, with a clean transition path to full ATO.
Stand-alone authoring of System Security Plans, control implementation narratives, POA&Ms, and evidence packages. Built for assessor scrutiny.
Post-ATO sustainment. POA&M management, annual security reviews, configuration change assessments, re-authorization preparation. Monthly retainer.
Specialized consulting for client teams working in DoD systems of record. Package hygiene, workflow coaching, and rescue of stalled efforts.
Meridian Cyber is a newly established consulting practice. We believe in being direct about that — because the founder’s track record in prior roles, not a pretend corporate history, is what earns a first conversation. This section exists to make the distinction clear.
A newly formed Alabama LLC dedicated to RMF and authorization services. SAM.gov registration is in progress. The firm has no completed client engagements yet — and is open about that.
The founder has shepherded ATO packages through the full Risk Management Framework process in prior roles, with operational experience in eMASS. That individual experience — not a pretend firm history — is the foundation of Meridian Cyber’s value.
New firms bring something established consultancies cannot: the founder is the practitioner. Every engagement gets principal attention. No junior analysts learning on your package. No layered hierarchies. Lean structure, competitive rates, direct accountability.
Every engagement begins with scoping discipline and ends with defensible documentation. We don’t improvise — we apply a methodology the founder has executed in prior RMF work, with measurable gates at each phase.
System boundary definition, FIPS 199 categorization, overlay identification, authorization pathway decisions. The work that prevents rework.
Gate: Package Plan Approved
Control selection aligned to categorization, implementation guidance for your engineering team, and early evidence collection planning.
Gate: Controls Selected
SSP authoring, POA&M development, evidence package assembly, and eMASS submission ready for independent Security Control Assessment.
Gate: eMASS Submitted
Assessor support through the SCA, AO engagement, and transition into continuous monitoring cadence after authorization is granted.
Gate: ATO Granted
Defense contractors don’t hire RMF consultants in the abstract — they hire them to solve specific, expensive problems. These are the ones we handle.
A prime puts a CUI-handling requirement in your statement of work and you have no idea where to start. We take you from zero to submitted package without making you learn the framework yourself.
Assessor findings keep piling up, your prior consultant is out of ideas, and the schedule is slipping. Package rescue is work the founder has done before — diagnosing what broke and restructuring what remains is well within scope for us.
The tool is unforgiving, and most cybersecurity consultants have never actually used it. We’re eMASS-fluent — comfortable with workflows, package hygiene, and the quirks assessors flag.
Tier-1 consultancies charge $400–$600/hour and bury you in process. We deliver senior-level execution at defensible rates — no layered hierarchies, no junior analysts on your package.
Your engineering team is delivering capability; you can’t ask them to stop and write control narratives. We shield your technical staff from compliance paperwork while still capturing what the package needs.
Huntsville-based, clearance-active, on-site-capable. We show up when the work benefits from in-person engagement — working sessions, AO briefings, prime coordination meetings.
In federal contracting, clients want to know exactly who will be on their package. Meridian Cyber is a principal-led practice — the person you meet is the person who executes.
Meridian Cyber was founded by a cybersecurity practitioner with direct, hands-on experience shepherding ATO packages through the full Risk Management Framework lifecycle in prior roles. That individual experience — responding to eMASS findings, sitting through SCA interviews, watching AOs make risk decisions — is the foundation of the firm.
Meridian Cyber itself is new. The firm has no delivered client engagements yet, and we believe in being direct about that. What we offer is the founder’s practitioner experience, applied directly to your package, at rates a small firm structure makes possible. Your engagement will be the founder’s work — not a junior analyst’s learning curve.
We’re actively pursuing first client engagements and open to subcontract roles, teaming arrangements, and direct small-business contracts. Detailed professional references from prior roles are available on request.
A consultant who mishandles your CUI is a liability, not an asset. Meridian Cyber operates with the same data handling standards we advise clients to implement — the posture that allows us to work with sensitive material safely and credibly.
Government Community Cloud High tenant for all client-sensitive work. DFARS 7012 and FedRAMP Moderate Equivalent authorized for CUI handling.
Internal security posture aligned to the same 800-171 controls we’ll advise clients to implement. We run the program we help others build.
AI-augmented delivery for efficiency — but only in approved environments. Public LLMs never touch CUI; authorized tooling only for client data.
Meridian Cyber is registered in federal contracting systems and carries the designations and insurance posture required for immediate engagement on DoD work, either directly or as a subcontractor.
Meridian Cyber actively pursues prime subcontractor roles, teaming arrangements, and joint ventures where our RMF capabilities strengthen a broader offering. Direct outreach from prime small business liaisons, capture managers, and teaming partners is welcomed.
Whether you need a readiness assessment, a full package, help with a stalled effort, or a subcontractor on a capture — start with a conversation. Most initial discussions take thirty minutes and result in a clear scope before any commitment.